London, UK - 12 February 2004, 11:30 GMT - Many analysts are misleading
decision makers that the MyDoom epidemic is scheduled to end today. MyDoom.a
is programmed to stop spreading today, marking the end of the first phase
of the fastest spreading and most economically damaging malware to date. However,
the back door component of the malware has no time limit so the TCP 3127 port
remains open until the infected machines are cleaned. Last night the number
of scans targeting or originating from port 3127 reached half a million as
measured from multiple-locations worldwide. This suggests that MyDoom.a is
still running on hundreds of thousands of infected computers allowing other
MyDoom variants and hackers to prowl actively for infected machines. Variants
of MyDoom and associated malware, like Deadhat, continue to surface and more
are likely to be in the pipeline based on the trend established in the last
two weeks.